Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 23 Jul 2023 02:56:08 +0200 |
| parents | 7565298aa197 |
| children | d8622797e315 |
comparison
equal
deleted
inserted
replaced
| 5615:308b5b117379 | 5616:59d5fc50f602 |
|---|---|
| 268 end | 268 end |
| 269 if next(token_data) == nil then | 269 if next(token_data) == nil then |
| 270 token_data = nil; | 270 token_data = nil; |
| 271 end | 271 end |
| 272 | 272 |
| 273 local refresh_token; | |
| 274 local grant = refresh_token_info and refresh_token_info.grant; | 273 local grant = refresh_token_info and refresh_token_info.grant; |
| 275 if not grant then | 274 if not grant then |
| 276 -- No existing grant, create one | 275 -- No existing grant, create one |
| 277 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data); | 276 grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data); |
| 278 -- Create refresh token for the grant if desired | 277 end |
| 279 refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh"); | 278 |
| 280 else | 279 if refresh_token_info then |
| 281 -- Grant exists, reuse existing refresh token | 280 -- out with the old refresh tokens |
| 282 refresh_token = refresh_token_info.token; | 281 local ok, err = tokens.revoke_token(refresh_token_info.token); |
| 283 end | 282 if not ok then |
| 283 module:log("error", "Could not revoke refresh token: %s", err); | |
| 284 return 500; | |
| 285 end | |
| 286 end | |
| 287 -- in with the new refresh token | |
| 288 local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, nil, "oauth2-refresh"); | |
| 284 | 289 |
| 285 if role == "xmpp" then | 290 if role == "xmpp" then |
| 286 -- Special scope meaning the users default role. | 291 -- Special scope meaning the users default role. |
| 287 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host); | 292 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host); |
| 288 role = user_default_role and user_default_role.name; | 293 role = user_default_role and user_default_role.name; |